@jongalloway @carolineggordon that was NOT the vulnerability; that was a failure to sanitize the URL field on the user page.